<html>
<head><meta charset="utf-8"><title>Indicating unsafe implementations of safe traits · t-lang/wg-unsafe-code-guidelines · Zulip Chat Archive</title></head>
<h2>Stream: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/index.html">t-lang/wg-unsafe-code-guidelines</a></h2>
<h3>Topic: <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating.20unsafe.20implementations.20of.20safe.20traits.html">Indicating unsafe implementations of safe traits</a></h3>

<hr>

<base href="https://rust-lang.zulipchat.com">

<head><link href="https://rust-lang.github.io/zulip_archive/style.css" rel="stylesheet"></head>

<a name="223755331"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating%20unsafe%20implementations%20of%20safe%20traits/near/223755331" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating.20unsafe.20implementations.20of.20safe.20traits.html#223755331">(Jan 23 2021 at 15:38)</a>:</h4>
<p>I want to put a raw pointer into a HashSet. However, the implementation of Hash / Borrow require accessing the pointers data. That means I need to have something like:</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="k">impl</span><span class="w"> </span><span class="n">Borrow</span><span class="o">&lt;</span><span class="kt">str</span><span class="o">&gt;</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">RawStr</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="k">fn</span> <span class="nf">borrow</span><span class="p">(</span><span class="o">&amp;</span><span class="bp">self</span><span class="p">)</span><span class="w"> </span>-&gt; <span class="kp">&amp;</span><span class="kt">str</span> <span class="p">{</span><span class="w"></span>
<span class="w">        </span><span class="k">unsafe</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">as_str</span><span class="p">()</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w">    </span><span class="p">}</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p>This means that someone could call these trait methods without realizing the safety invariants they need to uphold. </p>
<p>In my case, I’m going to put it in a tightly controlled module and wrap it in a newtype, but I can foresee accidentally leaking some “safe” method that is actually unsafe. Are there any good suggestions to protect myself and my users?</p>



<a name="223755341"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating%20unsafe%20implementations%20of%20safe%20traits/near/223755341" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating.20unsafe.20implementations.20of.20safe.20traits.html#223755341">(Jan 23 2021 at 15:38)</a>:</h4>
<p>I want to put a raw pointer into a HashSet. However, the implementation of Hash / Borrow require accessing the pointers data. That means I need to have something like:</p>
<div class="codehilite" data-code-language="Rust"><pre><span></span><code><span class="k">impl</span><span class="w"> </span><span class="n">Borrow</span><span class="o">&lt;</span><span class="kt">str</span><span class="o">&gt;</span><span class="w"> </span><span class="k">for</span><span class="w"> </span><span class="n">RawStr</span><span class="w"> </span><span class="p">{</span><span class="w"></span>
<span class="w">    </span><span class="k">fn</span> <span class="nf">borrow</span><span class="p">(</span><span class="o">&amp;</span><span class="bp">self</span><span class="p">)</span><span class="w"> </span>-&gt; <span class="kp">&amp;</span><span class="kt">str</span> <span class="p">{</span><span class="w"></span>
<span class="w">        </span><span class="k">unsafe</span><span class="w"> </span><span class="p">{</span><span class="w"> </span><span class="bp">self</span><span class="p">.</span><span class="n">as_str</span><span class="p">()</span><span class="w"> </span><span class="p">}</span><span class="w"></span>
<span class="w">    </span><span class="p">}</span><span class="w"></span>
<span class="p">}</span><span class="w"></span>
</code></pre></div>
<p>This means that someone could call these trait methods without realizing the safety invariants they need to uphold. </p>
<p>In my case, I’m going to put it in a tightly controlled module and wrap it in a newtype, but I can foresee accidentally leaking some “safe” method that is actually unsafe. Are there any good suggestions to protect myself and my users?</p>



<a name="223755786"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating%20unsafe%20implementations%20of%20safe%20traits/near/223755786" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Mario Carneiro <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating.20unsafe.20implementations.20of.20safe.20traits.html#223755786">(Jan 23 2021 at 15:48)</a>:</h4>
<p>I think the most likely avenue for making this work is to ensure that the trait impl is private, which, since that's not a thing, probably means that users can't be given access to <code>RawStr</code> and/or <code>HashSet&lt;RawStr, ...&gt;</code> at all</p>



<a name="223756917"></a>
<h4><a href="https://rust-lang.zulipchat.com#narrow/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating%20unsafe%20implementations%20of%20safe%20traits/near/223756917" class="zl"><img src="https://rust-lang.github.io/zulip_archive/assets/img/zulip.svg" alt="view this post on Zulip" style="width:20px;height:20px;"></a> Jake Goulding <a href="https://rust-lang.github.io/zulip_archive/stream/136281-t-lang/wg-unsafe-code-guidelines/topic/Indicating.20unsafe.20implementations.20of.20safe.20traits.html#223756917">(Jan 23 2021 at 16:13)</a>:</h4>
<p>Yep, that’s what I mean by module and newtype. Good to know that I was on the right path.</p>



<hr><p>Last updated: Aug 07 2021 at 22:04 UTC</p>
</html>